1 /* $NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $ */
4 * Copyright (c) 2011 The NetBSD Foundation, Inc.
7 * This code is derived from software contributed to The NetBSD Foundation
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 #include <sys/cdefs.h>
32 __RCSID("$NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $");
34 #include <sys/param.h>
36 #include <sys/sysctl.h>
47 #include "../common/exec_prot.h"
50 static int pax_global
= -1;
51 static int pax_enabled
= -1;
52 static char path
[] = "mmap";
54 static void sighandler(int);
55 static bool paxinit(void);
56 static bool paxset(int, int);
67 size_t len
= sizeof(int);
70 rv
= sysctlbyname("security.pax.mprotect.global",
71 &pax_global
, &len
, NULL
, 0);
76 rv
= sysctlbyname("security.pax.mprotect.enabled",
77 &pax_enabled
, &len
, NULL
, 0);
86 paxset(int global
, int enabled
)
88 size_t len
= sizeof(int);
91 rv
= sysctlbyname("security.pax.mprotect.global",
92 NULL
, NULL
, &global
, len
);
97 rv
= sysctlbyname("security.pax.mprotect.enabled",
98 NULL
, NULL
, &enabled
, len
);
107 ATF_TC_WITH_CLEANUP(mprotect_access
);
108 ATF_TC_HEAD(mprotect_access
, tc
)
110 atf_tc_set_md_var(tc
, "descr", "Test for EACCES from mprotect(2)");
113 ATF_TC_BODY(mprotect_access
, tc
)
115 int prot
[2] = { PROT_NONE
, PROT_READ
};
120 fd
= open(path
, O_RDONLY
| O_CREAT
);
121 ATF_REQUIRE(fd
>= 0);
124 * The call should fail with EACCES if we try to mark
125 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
127 for (i
= 0; i
< __arraycount(prot
); i
++) {
129 map
= mmap(NULL
, page
, prot
[i
], MAP_SHARED
, fd
, 0);
131 if (map
== MAP_FAILED
)
136 ATF_REQUIRE(mprotect(map
, page
, PROT_WRITE
) != 0);
137 ATF_REQUIRE(errno
== EACCES
);
138 ATF_REQUIRE(munmap(map
, page
) == 0);
141 ATF_REQUIRE(close(fd
) == 0);
144 ATF_TC_CLEANUP(mprotect_access
, tc
)
149 ATF_TC(mprotect_err
);
150 ATF_TC_HEAD(mprotect_err
, tc
)
152 atf_tc_set_md_var(tc
, "descr", "Test error conditions of mprotect(2)");
155 ATF_TC_BODY(mprotect_err
, tc
)
159 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ
) != 0);
160 ATF_REQUIRE(errno
== EINVAL
);
163 ATF_TC(mprotect_exec
);
164 ATF_TC_HEAD(mprotect_exec
, tc
)
166 atf_tc_set_md_var(tc
, "descr",
167 "Test mprotect(2) executable space protections");
171 * Trivial function -- should fit into a page
173 ATF_TC_BODY(mprotect_exec
, tc
)
179 xp_support
= exec_prot_support();
181 switch (xp_support
) {
184 "Execute protection callback check not implemented");
188 "Host does not support executable space protection");
190 case PARTIAL_XP
: case PERPAGE_XP
: default:
195 * Map a page read/write and copy a trivial assembly function inside.
196 * We will then change the mapping rights:
197 * - first by setting the execution right, and check that we can
198 * call the code found in the allocated page.
199 * - second by removing the execution right. This should generate
200 * a SIGSEGV on architectures that can enforce --x permissions.
203 map
= mmap(NULL
, page
, PROT_WRITE
|PROT_READ
, MAP_ANON
, -1, 0);
204 ATF_REQUIRE(map
!= MAP_FAILED
);
206 memcpy(map
, (void *)return_one
,
207 (uintptr_t)return_one_end
- (uintptr_t)return_one
);
209 /* give r-x rights then call code in page */
210 ATF_REQUIRE(mprotect(map
, page
, PROT_EXEC
|PROT_READ
) == 0);
211 ATF_REQUIRE(((int (*)(void))map
)() == 1);
213 /* remove --x right */
214 ATF_REQUIRE(mprotect(map
, page
, PROT_READ
) == 0);
217 ATF_REQUIRE(pid
>= 0);
220 ATF_REQUIRE(signal(SIGSEGV
, sighandler
) != SIG_ERR
);
221 ATF_CHECK(((int (*)(void))map
)() == 1);
227 ATF_REQUIRE(munmap(map
, page
) == 0);
229 ATF_REQUIRE(WIFEXITED(sta
) != 0);
231 switch (xp_support
) {
233 /* Partial protection might fail; skip the test when it does */
234 if (WEXITSTATUS(sta
) != SIGSEGV
) {
235 atf_tc_skip("Host only supports "
236 "partial executable space protection");
239 case PERPAGE_XP
: default:
240 /* Per-page --x protection should not fail */
241 ATF_REQUIRE(WEXITSTATUS(sta
) == SIGSEGV
);
246 ATF_TC(mprotect_pax
);
247 ATF_TC_HEAD(mprotect_pax
, tc
)
249 atf_tc_set_md_var(tc
, "descr", "PaX restrictions and mprotect(2)");
250 atf_tc_set_md_var(tc
, "require.user", "root");
253 ATF_TC_BODY(mprotect_pax
, tc
)
255 const int prot
[4] = { PROT_NONE
, PROT_READ
, PROT_WRITE
};
256 const char *str
= NULL
;
261 if (paxinit() != true)
265 * As noted in the original PaX documentation [1],
266 * the following restrictions should apply:
268 * (1) creating executable anonymous mappings
270 * (2) creating executable/writable file mappings
272 * (3) making a non-executable mapping executable
274 * (4) making an executable/read-only file mapping
275 * writable except for performing relocations
276 * on an ET_DYN ELF file (non-PIC shared library)
278 * The following will test only the case (3).
280 * [1] http://pax.grsecurity.net/docs/mprotect.txt
282 * (Sun Apr 3 11:06:53 EEST 2011.)
284 for (i
= 0; i
< __arraycount(prot
); i
++) {
286 map
= mmap(NULL
, page
, prot
[i
], MAP_ANON
, -1, 0);
288 if (map
== MAP_FAILED
)
291 rv
= mprotect(map
, 1, prot
[i
] | PROT_EXEC
);
293 (void)munmap(map
, page
);
296 str
= "non-executable mapping made executable";
302 if (pax_global
!= -1 && pax_enabled
!= -1)
303 (void)paxset(pax_global
, pax_enabled
);
306 atf_tc_fail("%s", str
);
309 ATF_TC(mprotect_write
);
310 ATF_TC_HEAD(mprotect_write
, tc
)
312 atf_tc_set_md_var(tc
, "descr", "Test mprotect(2) write protections");
315 ATF_TC_BODY(mprotect_write
, tc
)
322 * Map a page read/write, change the protection
323 * to read-only with mprotect(2), and try to write
324 * to the page. This should generate a SIGSEGV.
326 map
= mmap(NULL
, page
, PROT_WRITE
|PROT_READ
, MAP_ANON
, -1, 0);
327 ATF_REQUIRE(map
!= MAP_FAILED
);
329 ATF_REQUIRE(strlcpy(map
, "XXX", 3) == 3);
330 ATF_REQUIRE(mprotect(map
, page
, PROT_READ
) == 0);
333 ATF_REQUIRE(pid
>= 0);
336 ATF_REQUIRE(signal(SIGSEGV
, sighandler
) != SIG_ERR
);
337 ATF_REQUIRE(strlcpy(map
, "XXX", 3) == 0);
342 ATF_REQUIRE(WIFEXITED(sta
) != 0);
343 ATF_REQUIRE(WEXITSTATUS(sta
) == SIGSEGV
);
344 ATF_REQUIRE(munmap(map
, page
) == 0);
349 page
= sysconf(_SC_PAGESIZE
);
350 ATF_REQUIRE(page
>= 0);
352 ATF_TP_ADD_TC(tp
, mprotect_access
);
353 ATF_TP_ADD_TC(tp
, mprotect_err
);
354 ATF_TP_ADD_TC(tp
, mprotect_exec
);
355 ATF_TP_ADD_TC(tp
, mprotect_pax
);
356 ATF_TP_ADD_TC(tp
, mprotect_write
);
358 return atf_no_error();